fre3vo: IRC with @agrabren and #teamwin
Here is a pretty good transcript of what was discussed tonight. Some stuff is missing, full transcript may be posted later.
[19:38] <@agrabren> So there are a couple of big questions, and sadly, a few we can't answer yet.
[19:40] <@agrabren> Yes, I called it fre3vo. In tribute to Shift.
[19:41] <@agrabren> It utilizes a hole we found in the software on the EVO 3D.
[19:42] <@agrabren> The reason we're being so secretive about the hole is because we don't want forced OTAs to close it.
[19:42] <@agrabren> It's a serious security vulnerability, beyond the scope of getting root.
[19:42] <@agrabren> As for the "violent" nature of it, we found a hole and tossed in a grenade.
[19:42] <@agrabren> Blew my phone to s***.
[19:43] <@agrabren> But in blowing it to s***, we confirmed that we had, in fact, found a way in that we could exploit.
[19:43] <@agrabren> After a factory reset of the device (I managed to get Android to only mount /data as ro. Let me tell you, this *will* f*** you up)
[19:44] <@agrabren> We stepped back into the hole with flashlights.
[19:44]<@agrabren> After a lot of snooping around inside the guts, I found a way to get adbd to run as root.
[19:44] <@agrabren> What devices will this work on? Well, the EVO 3D. We believe it will work on the Sensation 4G.
[19:45] <@agrabren> I don't believe this particular hole will work on the old sense 1.0 devices.
[19:47] <@agrabren> Is this specific to android or could it be used on generic linux os's? We can't answer this question at this time.
[19:48] <@agrabren> The reason we can't answer is we really want everyone to be able to take advantage of the hole, instead of it being patched.
[19:48] <@agrabren> We're talking days at most.
[19:49] <@agrabren> It should apply to some other devices, but there will be work on a device-by-device basis.
[19:50]<@agrabren> We don't know exactly how similar the devices are in the software, so we don't know if the internal offsets are different.
[19:51] <@agrabren> We are using a smart algorithm for protecting the devices from things going wrong. It only exploits if everything checks out.
[19:53] <@agrabren> We haven't talked with anyone about this stuff yet.
[19:54] <@agrabren> I do actually have a real job, as well as a family.
[19:55] <@agrabren> So, let's go ahead with questions...
[19:56] <+momentdroid> i'll ask the question basically everyone wants to hear, eta? lol
[19:56] <@agrabren> The ETA is likely this weekend. Probably late weekend.
[19:58] <@agrabren> Will this exploit cause damage: No. I don't like dangerous.
[20:02] <@agrabren> Can this exploit be reversed? Because we're only talking temp-root, it is reverted on reboot.
[20:02] <@agrabren> When we get to perm root, that will also be reversable.
[20:02] <@agrabren> My next work is to help unlock the device.
[20:05] <@agrabren> We don't believe it will work on the EVO 4G.
[20:06] <@agrabren> The exploit will be first sent to the vendors involved for them to fix before the rest of the world.
[20:07] <@agrabren> Sensation 4G: We believe it will work there. I need a person in North Austin willing to help with this, since I don't have one.
[20:07] <@agrabren> Otherwise, it will happen after the EVO 3D one comes out.
[20:10] <@agrabren> Joshua, I was looking for you to field all the questions on s-off, and what nand-locked devices are like.
[20:10] <@agrabren> Short of "where are we at for s-off".
[20:11] <@joshua_> Sure. This device is eMMC, and also has a signed bootloaer. This means that S-OFF is a ways further out than just soft root.
[20:11] <@joshua_> I can answer from my experience working closely with the AlphaRev X team that S-OFF on Sensation is goign to be harder than previous devices we've worked with.
[20:11] <@joshua_> I think EVO 3D is very similar to Sensation, so I suspect the same to be true there.
[20:12] <@joshua_> Someone asked me what eMMC is: Older phones (EVO 4G) are based on NAND flash; eMMC is a different type of flash.
[20:12] <@joshua_> eMMC has different types of write protection that we haven't worked with before.
[20:13] <@agrabren> And we plan to work together to solve some of these issues.
[20:15] <@agrabren> you think this particular exploit will eventually lead to s-off, or is it too early to tell?
[20:15] <@agrabren> (Sending this one to joshua_
[20:15] <@joshua_> agrabren, the AlphaRevX exploit requires userspace root, and that was one of the big things holding it back on gbread
[20:16] <@joshua_> so I guess the short answer is "yes, this will pave the way, but no guarantees"
[20:16] <@joshua_> "it doesn't directly make it possible, but it makes it not impossible"
[20:16] <@agrabren> Eyeballer: Please field the often question: Can we be beta testers, how do we join #teamwin?
[20:16] <@joshua_> I'll open the floor up for more questions in a moment. Please try to keep them related.
[20:17] <@eyeballer> agrabren: seems to be the question of the day =P
[20:18] <@eyeballer> #teamwin was formed back when shinzul and toastcfh were working on reverse engineering wimax from sense to aosp .. since then we've built up a pretty comprehensive group of people with a range of talents.. at this time we're pretty close and closed..
[20:19] <@eyeballer> we believe in close controlled testing and then wipe public release so we'll probably follow a similar method here
[20:19] <@agrabren> The exploit will come, with or without more stuff.
[20:20] <@joshua_> dragonfyre13 asked a good question: should other people working on developing exploits continue? The answer is 'absolutely' -- we will need them some day (well, hopefully not, but...).
[20:20] <@agrabren> As for continuing looking for holes: You're welcome to, but this has no real damage to anything else on the phone.
[20:21] <@joshua_> Someone suggested trying to trade the exploit with HTC: that's called extortion, and is bad for the community as a whole. Everyone obviously would love to work with HTC to build a platform to develop on, but bargaining with exploits is not how to do it.
[20:21] <@agrabren> If I reboot, what happens: Well, right now, it's temp root and it's gone. We're hoping by this weekend to have it sticky, and running Titanium Backup
[20:21] <@agrabren> Any changes to /system at this time will definitely revert.
[20:22] <@agrabren> Joshua: whats the difference between unlocked and s-off?
[20:23] <@joshua_> S-OFF used to refer to a specific configuration in which the radio told hboot that it was "OK" to flash anything it wanted, essentially.
[20:23] <@joshua_> (It also would refer to an ENG hboot.)
[20:23] <@joshua_> On eMMC, that state no longer exists.
[20:23] <@agrabren> OTA: Risky. Until we crack the nand lock and get S-OFF, it's possible for HTC to make things different or harder with a new HBOOT.
[20:24] <@joshua_> unlocked is not really a term that applies to CDMA phones; in general, it refers to the ability to put a SIM card from a differnet carrier into your phone. the "NAND lock", or write protection, or anything like that does apply, and refers to being able to write /system
[20:24] <@joshua_> (I think that's needed for Cyanogen.)
[20:26] <@eyeballer> [23:26:28] <lowetax> any malware concerns with this hole ?
[20:26] <@joshua_> Yes.
[20:27] <@agrabren> Yes. Any security hole that gives a user elevated permissions is a malware concern.
[20:28] <@eyeballer> oblivion2k> will we lose radio, wimax, hboot, etc with this root method?
[20:28] <@eyeballer> with just temp root, no
[20:28] <@eyeballer> unless you try to mess with those things yourself
[20:28] <@joshua_> agrabren, By the way, traditionally, unrevoked's policy is to report to vendors holes that appear to be 'intentional' (see skyagent), but to package and protect vulnerabilities like that the best we can.
[20:29] <@agrabren> This was a non-intentional hole.
[20:30] <@joshua_> Yeah. Traditionally, unrevoked just packs and protects that sort of thing until someone finally reverses them.
[20:30] <@joshua_> We'd love to be able to do the responsible disclosure thing, but this is an arms race...
[20:30] <@joshua_> We'd love to be able to do the responsible disclosure thing, but this is an arms race...
[20:30] <@zule> htc created the arms race, we just fight fair
[20:31] <@joshua_> (on the 'really bad' things, we do indeed do responsible disclosure insstead)
[20:32] <@agrabren> Hopefully, we've answered the majority of questions people keep asking.
[20:32] <@joshua_> Please don't ask for more details beyond what agrabren's provided so far.
[20:33] <@agrabren> We promise, info will be flowing. But we wanted to let people know, it has happened.
[20:33] <@agrabren> Thanks for everyone's time, and making me feel special.
[20:33] <@agrabren> I appreciate all the positive responses we've gotten! #teamwin!!!
[19:38] <@agrabren> So there are a couple of big questions, and sadly, a few we can't answer yet.
[19:40] <@agrabren> Yes, I called it fre3vo. In tribute to Shift.
[19:41] <@agrabren> It utilizes a hole we found in the software on the EVO 3D.
[19:42] <@agrabren> The reason we're being so secretive about the hole is because we don't want forced OTAs to close it.
[19:42] <@agrabren> It's a serious security vulnerability, beyond the scope of getting root.
[19:42] <@agrabren> As for the "violent" nature of it, we found a hole and tossed in a grenade.
[19:42] <@agrabren> Blew my phone to s***.
[19:43] <@agrabren> But in blowing it to s***, we confirmed that we had, in fact, found a way in that we could exploit.
[19:43] <@agrabren> After a factory reset of the device (I managed to get Android to only mount /data as ro. Let me tell you, this *will* f*** you up)
[19:44] <@agrabren> We stepped back into the hole with flashlights.
[19:44]<@agrabren> After a lot of snooping around inside the guts, I found a way to get adbd to run as root.
[19:44] <@agrabren> What devices will this work on? Well, the EVO 3D. We believe it will work on the Sensation 4G.
[19:45] <@agrabren> I don't believe this particular hole will work on the old sense 1.0 devices.
[19:47] <@agrabren> Is this specific to android or could it be used on generic linux os's? We can't answer this question at this time.
[19:48] <@agrabren> The reason we can't answer is we really want everyone to be able to take advantage of the hole, instead of it being patched.
[19:48] <@agrabren> We're talking days at most.
[19:49] <@agrabren> It should apply to some other devices, but there will be work on a device-by-device basis.
[19:50]<@agrabren> We don't know exactly how similar the devices are in the software, so we don't know if the internal offsets are different.
[19:51] <@agrabren> We are using a smart algorithm for protecting the devices from things going wrong. It only exploits if everything checks out.
[19:53] <@agrabren> We haven't talked with anyone about this stuff yet.
[19:54] <@agrabren> I do actually have a real job, as well as a family.
[19:55] <@agrabren> So, let's go ahead with questions...
[19:56] <+momentdroid> i'll ask the question basically everyone wants to hear, eta? lol
[19:56] <@agrabren> The ETA is likely this weekend. Probably late weekend.
[19:58] <@agrabren> Will this exploit cause damage: No. I don't like dangerous.
[20:02] <@agrabren> Can this exploit be reversed? Because we're only talking temp-root, it is reverted on reboot.
[20:02] <@agrabren> When we get to perm root, that will also be reversable.
[20:02] <@agrabren> My next work is to help unlock the device.
[20:05] <@agrabren> We don't believe it will work on the EVO 4G.
[20:06] <@agrabren> The exploit will be first sent to the vendors involved for them to fix before the rest of the world.
[20:07] <@agrabren> Sensation 4G: We believe it will work there. I need a person in North Austin willing to help with this, since I don't have one.
[20:07] <@agrabren> Otherwise, it will happen after the EVO 3D one comes out.
[20:10] <@agrabren> Joshua, I was looking for you to field all the questions on s-off, and what nand-locked devices are like.
[20:10] <@agrabren> Short of "where are we at for s-off".
[20:11] <@joshua_> Sure. This device is eMMC, and also has a signed bootloaer. This means that S-OFF is a ways further out than just soft root.
[20:11] <@joshua_> I can answer from my experience working closely with the AlphaRev X team that S-OFF on Sensation is goign to be harder than previous devices we've worked with.
[20:11] <@joshua_> I think EVO 3D is very similar to Sensation, so I suspect the same to be true there.
[20:12] <@joshua_> Someone asked me what eMMC is: Older phones (EVO 4G) are based on NAND flash; eMMC is a different type of flash.
[20:12] <@joshua_> eMMC has different types of write protection that we haven't worked with before.
[20:13] <@agrabren> And we plan to work together to solve some of these issues.
[20:15] <@agrabren> you think this particular exploit will eventually lead to s-off, or is it too early to tell?
[20:15] <@agrabren> (Sending this one to joshua_
[20:15] <@joshua_> agrabren, the AlphaRevX exploit requires userspace root, and that was one of the big things holding it back on gbread
[20:16] <@joshua_> so I guess the short answer is "yes, this will pave the way, but no guarantees"
[20:16] <@joshua_> "it doesn't directly make it possible, but it makes it not impossible"
[20:16] <@agrabren> Eyeballer: Please field the often question: Can we be beta testers, how do we join #teamwin?
[20:16] <@joshua_> I'll open the floor up for more questions in a moment. Please try to keep them related.
[20:17] <@eyeballer> agrabren: seems to be the question of the day =P
[20:18] <@eyeballer> #teamwin was formed back when shinzul and toastcfh were working on reverse engineering wimax from sense to aosp .. since then we've built up a pretty comprehensive group of people with a range of talents.. at this time we're pretty close and closed..
[20:19] <@eyeballer> we believe in close controlled testing and then wipe public release so we'll probably follow a similar method here
[20:19] <@agrabren> The exploit will come, with or without more stuff.
[20:20] <@joshua_> dragonfyre13 asked a good question: should other people working on developing exploits continue? The answer is 'absolutely' -- we will need them some day (well, hopefully not, but...).
[20:20] <@agrabren> As for continuing looking for holes: You're welcome to, but this has no real damage to anything else on the phone.
[20:21] <@joshua_> Someone suggested trying to trade the exploit with HTC: that's called extortion, and is bad for the community as a whole. Everyone obviously would love to work with HTC to build a platform to develop on, but bargaining with exploits is not how to do it.
[20:21] <@agrabren> If I reboot, what happens: Well, right now, it's temp root and it's gone. We're hoping by this weekend to have it sticky, and running Titanium Backup
[20:21] <@agrabren> Any changes to /system at this time will definitely revert.
[20:22] <@agrabren> Joshua: whats the difference between unlocked and s-off?
[20:23] <@joshua_> S-OFF used to refer to a specific configuration in which the radio told hboot that it was "OK" to flash anything it wanted, essentially.
[20:23] <@joshua_> (It also would refer to an ENG hboot.)
[20:23] <@joshua_> On eMMC, that state no longer exists.
[20:23] <@agrabren> OTA: Risky. Until we crack the nand lock and get S-OFF, it's possible for HTC to make things different or harder with a new HBOOT.
[20:24] <@joshua_> unlocked is not really a term that applies to CDMA phones; in general, it refers to the ability to put a SIM card from a differnet carrier into your phone. the "NAND lock", or write protection, or anything like that does apply, and refers to being able to write /system
[20:24] <@joshua_> (I think that's needed for Cyanogen.)
[20:26] <@eyeballer> [23:26:28] <lowetax> any malware concerns with this hole ?
[20:26] <@joshua_> Yes.
[20:27] <@agrabren> Yes. Any security hole that gives a user elevated permissions is a malware concern.
[20:28] <@eyeballer> oblivion2k> will we lose radio, wimax, hboot, etc with this root method?
[20:28] <@eyeballer> with just temp root, no
[20:28] <@eyeballer> unless you try to mess with those things yourself
[20:28] <@joshua_> agrabren, By the way, traditionally, unrevoked's policy is to report to vendors holes that appear to be 'intentional' (see skyagent), but to package and protect vulnerabilities like that the best we can.
[20:29] <@agrabren> This was a non-intentional hole.
[20:30] <@joshua_> Yeah. Traditionally, unrevoked just packs and protects that sort of thing until someone finally reverses them.
[20:30] <@joshua_> We'd love to be able to do the responsible disclosure thing, but this is an arms race...
[20:30] <@joshua_> We'd love to be able to do the responsible disclosure thing, but this is an arms race...
[20:30] <@zule> htc created the arms race, we just fight fair
[20:31] <@joshua_> (on the 'really bad' things, we do indeed do responsible disclosure insstead)
[20:32] <@agrabren> Hopefully, we've answered the majority of questions people keep asking.
[20:32] <@joshua_> Please don't ask for more details beyond what agrabren's provided so far.
[20:33] <@agrabren> We promise, info will be flowing. But we wanted to let people know, it has happened.
[20:33] <@agrabren> Thanks for everyone's time, and making me feel special.
[20:33] <@agrabren> I appreciate all the positive responses we've gotten! #teamwin!!!
1 - 1 of 1 Posts
1 - 1 of 1 Posts
- This is an older thread, you may not receive a response, and could be reviving an old thread. Please consider creating a new thread.
Android OS Forum
A forum community dedicated to Android phone owners and enthusiasts. Come join the discussion about applications, recovery, developments, styles, reviews, accessories, classifieds, and more for Unbuntu, Google Nexus, HTC, Motorola, Samsung or other Android models!
Full Forum Listing
Explore Our Forums
Recommended Communities
